It has been 5 years since docker brought containers into the mainstream production environments that changed the way of application development and deployment. This link gives a quick overview on why companies are considering container technologies. I can say that i lagged behind in exploring docker so i tried some hands-on with docker recently so i wanted to post a few articles on the things i tried. Docker has great documentation so i will try to keep my posts simple and concise and give those documentation links wherever applicable.

In this post, we will look at docker installation and ways to create docker images and containers. I used Ubuntu 17.10 (artful) VM with docker version 17.12.1-ce in Windows 10 based laptop.

Installation:

Docker is available in 2 editions Docker Community Edition (CE) and Docker Enterprise Edition (EE). Docker CE is for developers to explore containers and Docker EE is for enterprise development. Docker CE updates are available via two channels:

Docker daemon also needs to connect to internet to pull and push images. Do following to let docker to use your proxy. Create http-proxy.conf with following contents as root user(sudo su) and copy to directory /etc/systemd/system/docker.service.d. Refer to this link for more information.

Image is like an installation including everything like code, configuration, runtime etc and container is running instance of an image.

Use docker run to create a container from an image. For example, issue docker run hello-worldas shown below. Docker first checks for local availability of image and downloads from docker registry if the same is not found.

Do docker ps -a to see all containers and use docker ps to see only running containers. In above example, the container is created from hello-world image, prints the message and exits the container. Since this image is not available in local it gets downloaded as shown above.

Do docker images to see all local images.

Now let us start an interactive ubuntu container using docker run -ti ubuntu /bin/bash. This starts an interactive container and also downloads an ubuntu image if not present in local. The -i option makes container interactive and the -t option attaches it to terminal.

Observe hostname is nothing but the container id using docker ps.

To stop container, do docker stop <<containerid>>

To restart container, do docker start <<containerid>>

To attach the started container to terminal, do docker attach <<containerid>>

Creating an Image:

Each docker image will have a base image and can be built manually or using a file called Dockerfile. We will see both of these approaches using a sample nodejs application. Note that its always recommended to use official image provided by nodejs.

Manual Creation:

Do following to spin up a new container based on ubuntu image and install nodejs v8. -p option is used for port forwarding i.e. connecting to 8888 port (first argument in command) on docker host will forward the request to port 8888 in docker container. -v option mounts the file system so that container can access it. in my case, i have sample nodejs module in directory /home/siva/mywork (first argument in command) so i mounted this directory to access it in the container using same path.

Now our nodejs application container is up and running. To create a docker image from this container, do

exit the container and find container id using docker ps -a.

docker commit <<containerid>>

docker images (find the newly created image id)

docker tag <> mynodejs (tag the image to meaningful name)

docker images

Using Docker file:

Creating docker images manually may not be possible always and also collaboration can become difficult with the above approach. So docker provides another way of building an image from file called Dockerfile that can have a set of instructions. All manual steps we did earlier can be incorporated in Dockerfile and build image from it.

The mynodejs image created above, does not start node server as soon as container starts. Observe that we started the node server manually by issuing node movieservice.js command. We will make it happen using a Dockerfile and build a new image from it. So create a file named Dockerfilewith following instructions. I have taken this example to make a point that even images created by us can be a base image. Note that Dockerfile should always start with FROMinstruction specifying base image. CMDinstruction is used to specify command to be executed when new container is started..

In previous blog, we started with brief introduction of docker platform and also saw how to build images and run containers. In this blog, we will see how to setup an Oracle SOA Suite 12.2.1.3 environment with docker containers using Oracle official docker images. The README files available with official images have lot of information and one could easily create the docker images. So i just want to collate all this information here for quick reference.

I used Ubuntu 17.10 (artful) VM with docker version 17.12.1-ce in Windows 10 based laptop.

Installation:

Typical steps to be followed to install Oracle SOA Suite 12.2.1.3 in laptop:

Install JRE 8/JDK 8

Install the certified database.

Install Oracle SOA Suite/BPM Suite/OSB as per requirements.

Run RCU to create the required schemas

Configure the domain

In the world of docker the above steps translate to the following steps.

Build JRE 8 docker image

Build Oracle DB docker image

Build FMW infrastructure docker image

Build SOA Suite docker image

Start DB container

Start Admin Server container

Start Managed Server container

To start with, download official dockerfiles from https://github.com/oracle/docker-images and we use docker images related to OracleJava, OracleDatabase, OracleFMWInfrastructure and OracleSOASuite. Each of these folders have necessary scripts for installation but does not contain executables. Have all these folders copied into docker-images directory.

Build JRE 8 docker image:

Download server-jre-8u161-linux-x64.tar.gz from link and copy into directory OracleJava/java-8.

Navigate to the above directory and run sh build.sh. We will observe the docker image oraclelinux:7-slim getting pulled from docker hub as the docker file contains instruction FROM oraclelinux:7-slim.

Once the build is complete we can see a new image available with tag oracle/serverjre:8.

Note that OracleJava folder also have docker files required to build JRE 9.

Build Oracle DB docker image:

Download files linuxamd64_12102_database_1of2.zip and linuxamd64_12102_database_2of2.zip from link and copy into directory OracleDatabase/dockerfiles/12.1.0.2. I had used 12.1.0.2 version though the latest is 12.2.0.1 because of smaller size.

Navigate to the directory OracleDatabase/dockerfiles and issue the following command. Option -v indicates the db version and the option -e represents Enterprise Edition.

sh buildDockerImage.sh -v 12.1.0.2 -e

Open OracleDatabase/dockerfiles/12.1.0.2/Dockerfile.ee to check the instructions that get executed during the image build. Observe oraclelinux:7-slim as the base image in this docker file.

Once the build is complete we can see a new image available with tag oracle/database:12.1.0.2-ee.

Note that OracleDatabase folder also have docker files required to build images based on versions 12.2.0.1 and 11.2.0.2 (XE).

Build FMWInfrastructure docker image:

Download file fmw_12.2.1.3.0_infrastructure_Disk1_1of1.zip from link and copy into directory OracleFMWInfrastructure/dockerfiles/12.2.1.3.

Navigate to the directory OracleFMWInfrastructure/dockerfiles and issue the following command. Option -v indicates the version.

sh buildDockerImage.sh -v 12.2.1.3

Open OracleFMWInfrastructure/dockerfiles/12.2.1.3/Dockerfile to check the instructions that get executed during the image build. Observe that oracle/serverjre:8 is the base image and this is the exact reason why we built jre image first.

Once the build is complete we can see a new image available with tag oracle/fmw-infrastructure:12.2.1.3.

Note that OracleFMWInfrastructure folder also have docker files required to build images based on versions 12.2.1.2.

Build SOA Suite docker image:

Download files fmw_12.2.1.3.0_soa.jar and fmw_12.2.1.3.0_osb.jar from link and copy into directory OracleSOASuite/dockerfiles/12.2.1.3. Note that these installers are not quick start installers.

Navigate to the directory OracleSOASuite/dockerfiles and issue the following command. Option -v indicates the version.

sh buildDockerImage.sh -v 12.2.1.3

Open OracleSOASuite/dockerfiles/12.2.1.3/Dockerfile to check the instructions that get executed during the image build. Observe that oracle/fmw-infrastructure:12.2.1.3 is the base image and this is the exact reason why we built that image first.

Once the build is complete we can see a new image available with tag localhost/oracle/soasuite:12.2.1.3.

Note that OracleSOASuite folder also have docker files required to build images based on versions 12.2.1.2.

By creating docker images for DB and SOA Suite, we are done with the installation and yet to configure DB instance, run RCU and configure SOA/OSB domain. Note that the image oracle/fmw-infrastructure has one pre-configured domain named base_domain.

We use docker-compose tool to create containers based on the above images. A sample yaml file docker-compose.yml is located in OracleSOASuite/samples directory.

Prerequisite:

Edit ../setenv.sh and set or modify the required env variables and do source ../setenv.sh. At minimum, we need to set DC_ORCL_SYSPWD, DC_ADMIN_PWD and DC_RCU_SCHPWD. Note that i had to set DC_HOSTNAME to ip address like 172.18.0.1 instead of hostname and localhost. Do this as first step before starting up any of the containers below.

Start DB container:

The docker-compose.yml file defines a service named soadb that can be used to create DB container. Modify this entry as below:

When DB container starts for first time, it configures the DB instance, TNS listener and creates some dummy password for SYS user. The logs can be seen using command docker logs -f soadb.

Execute docker exec <<container id>> /opt/oracle/setPassword.sh <<pwd>> to reset password for SYS user. Make sure that DB container is running before executing this command. The location of this script file can be derived from the instructions found in OracleDatabase/dockerfiles/12.1.0.2/Dockerfile.ee.

After the first time, to restart the container we can use either of the below commands. Make sure to run source ../setenv.sh always before using docker-compose commands.

docker-compose up -d soadb

docker start <<container id>>

Connect to db using command sqlplus sys/fusion@//172.18.0.1:1521/soadb as sysdba to make sure that DB is up and running.

Command docker stopcan be used to stop the container.

Start Admin Server container:

docker-compose.yml file has soaas as one of the services which can be used to create the container. Use command docker-compose up -d soaas to start the admin server container.

When admin server container starts for first time, it runs RCU to create the required schemas by connecting to db container and also configures a new domain ,. The logs can be seen using command docker logs -f soaas.

After the first time, to restart the container we can use either of the below commands. Make sure to run source ../setenv.sh always before using docker-compose commands docker-compose up -d soaasdocker start <>

Verify you are able to access admin console using http://localhost:7001/console and observe that AdminServer is up and running. The password for admin console will be the value given for DC_ADMIN_PWD in setenv.sh.

In data sources, observe that prefix SOA01 is used for SOAINFRA, MDS and others which is the value given for DC_RCU_SOAPFX in setenv.sh.

Command docker stopcan be used to stop the container.

Start Managed Server container:

Note that i had to use minimum 6 GB RAM for my ubuntu VM to bring DB, Admin and managed server containers.

docker-compose.yml file has soams as one of the services which can be used to create the container. Use command docker-compose up -d soams to start the managed server container.

The logs generated in managed server container can be seen using command docker logs -f soams.

After the first time, to restart the container we can use either of the below commands. Make sure to run source ../setenv.sh always before using docker-compose commands

docker-compose up -d soams

docker start <<container id>>

Access admin console using http://localhost:7001/console and observe that soa_server1 is up and running and also we can see a soa_cluster configured.

Command docker stopcan be used to stop the container.

Observations:

If we want to access the admin console from host OS, we need to configure the port forwarding rules for the VM as shown below.

When we are installing DB or SOA Suite in laptop the installation wizard guide us through the steps which makes life easier. But when when we want to use docker files to build images we need to come up with script for the installation and configuration. Typically developer may not have this much acquaintance with these kind of installation scripts and i feel admin help is required. I hope Oracle keep updating the their github repository with newer docker files and scripts whenever a new release is available.

I feel debugging containers is difficult and need to look more into this aspect. Initially, when i created VM i used 3 GB RAM and with this RAM i was able to bring up DB and Admin server container. But when i starting managed server it got stuck and docker logs also did not help me to identify this issue. It was a complete guess by me and increased the RAM to 6 GB which made the things smoother.

The docker files uses yum tool which is not available in ubuntu that means, we may need to come up different docker files for different linux distributions and for Windows OS.

The oracle official docker images for Java, DB and FMW Infrastrcture has oraclelinux as the base image. Does that mean oracle does not support in other linux distributions like ubuntu etc. I need to check on this and i welcome readers to let me know if anyone has information on this.

Typically we might come across a need to move vdi files to different disks or drive for accommodating more memory needs. This can be done using the following steps. make sure that VM is in powered off mode.

First the vdi needs to be detached from the VM as shown below.

Go to File-> Virtual Media Manager and remove the vdi which we are planning to move.

Now move the vdi file to desired location. In my case, the initial location of the vdi is C:\Users\svgonugu\VirtualBox VMs\Ubuntu and i moved this vdi to D drive.

Again go to VM Settings -> Storage and click on add hard disk button high lighted below. Choose the above vdi which is moved to D drive and click OK. Now you should be restart the VM and proceed with your work with no issues.

Increasing the RAM used by VM:

There are so many instances where we might want to increase the RAM allocated to VM after the creation typically determined by the kind of usage. We can modify this in VM settings using the steps below. Make sure that VM is in powered off mode.

Navigate to System -> Motherboard and increase the base memory value as required and click OK.

You can verify this memory settings by issuing cat /proc/meminfo or using free -m command.

The commented lines in the above code is another way of achieving the same. Pass root task id or any child task id for this method call. We can verify this attachment in WFATTACHMENT table as shown below.

When roottaskid is used to add the attachments, the task form will show this attachment for all child tasks.

addAttachment API is inserting an entry into WFATTCHMENT table even when there is no task id passed.

The above behavior can be used in a scenario when we want to add task attachment task creation. To make this works, set the correlation id in attachment type like below and use the same correlation id during task creation.

attachmentType.setCorrelationId(correlationId);

By default Admin, Approvers, Assignees, Reviewers, Owner and Creator can add attachments to a task which is configured in Access tab of human task as shown below. We will get an exception when unauthorized user trying to add the attachment as shown below.

<Nov 14, 2017, 2:45:36,118 PM IST> <Error> <oracle.soa.services.workflow.persistency> <BEA-000000> <<.> exception.code:30327exception.type: ERRORexception.severity: 2exception.name: Current user does not have the ADD privilege on task attribute: ATTACHMENTS.exception.description: Current user siva does not have ADD privilege for ATTACHMENTSon task with taskId b4ce32d1-d2e9-4f73-abc0-18c1447facf4.exception.fix: Grant the ADD access for the current user/role. If the error persists, contact Oracle Support Services.

BPM worklist also provides a search on these custom attributes as shown below. So when we are creating any custom worklist or in some other scenarios we can always populate these custom attributes using java apis.

When we update only one custom attribute its setting other values to null. To verify this, you can do first iteration by passing both attribute values and pass only one of these attribute values in second iteration of method calls.

When custom attributes are set during human task creation using apis, same set of values will be copied to roottaskid and all child tasks.

In this post, we will see how to use BPM java api to add comments to human tasks.

Task Service provides different methods to add comments to a human task as shown below. I will show you how to make use of the method accepting CommentType as argument and using other methods is simple and straight forward.

By default, Admin, Assignees, Owner, Creator, Approvers and Reviewers will have the write access and this can be modified in Access tab of human task definition as shown below.

When a user attempt to add comments who does not have access, we will observe the following error in logs. We can reproduce this issue by turning off the write access for Approvers and Assignees in Access tab of human task. Also create the workflowContext using the user siva as siva is the assigness and approver here.

<Nov 14, 2017, 2:45:36,118 PM IST> <Error> <oracle.soa.services.workflow.persistency> <BEA-000000> <<.> exception.code:30327exception.type: ERRORexception.severity: 2exception.name: Current user does not have the ADD privilege on task attribute: COMMENTS.exception.description: Current user siva does not have ADD privilege for COMMENTS on task with taskId b4ce32d1-d2e9-4f73-abc0-18c1447facf4.exception.fix: Grant the ADD access for the current user/role. If the error persists, contact Oracle Support Services.

To test this code, create a task and query the WFTASK table using roottaskid as shown below. Observe that 2 child tasks are created for the roottaskid as we are using parallel participant with 2 approvers.

Now execute the above method by passing roottaskid. Query the WFTASK table again to verify all tasks are marked as WITHDRAWN as shown below.

Observations:

Using roottaskid for withdrawal will result into withdraw of all child tasks.

The above statement is true even if some of the child tasks are in approved/rejected state. In this case, using roottaskid will withdraw only the eligible child tasks.

The above statement is also true even if some of the child tasks are in ALERTED state. Typically tasks get into this state because BPM runtime unable to resolve the assignee. In the following screenshot, the user siva1 is not existing in my server hence the created task is in ALERTED state.

By default, Admin, Creator and Owner of the task can do withdraw of a task. we can see this information in Access tab of human task editor in jdeveloper. Observe the usage of Admin WorkflowContext in the above code.

We will get an error like below when unauthorized user try to withdraw the task. To reproduce the error, we can create the task using weblogic user and try to withdraw that user using another user who is not admin, creator and assignee.

<Nov 13, 2017, 6:19:03,842 PM IST> <Error> <oracle.soa.services.workflow.query> <BEA-000000> <<.> exception.code:30513exception.type: ERRORexception.severity: 2exception.name: Insufficient privileges to access the task information for this task. The task must have either expired or assigned to another user.exception.description: User siva cannot access the task information for task: fd1df834-04b3-4a5f-a7b5-8bbf83f8dc72.exception.fix: Ensure that the user has been granted appropriate privileges to access the task information for this task or check on expiration and esclation policies.

We can get owner, creator and assignee details for a task using following sql query against soainfra schema.

Often there is a need to interact with credential or policy store from java/ADF code which requires code source grants/system policies. Typically the application’s jazn file will have these values like the following.

Once the human task instance is created, we can perform several actions like:

Withdraw

Delegate

Update Task outcome

Add Attachment

Add Comments

Query Task details

etc..

If we observe these actions, we can guess that all users of the system should not be able to perform these actions and should be controlled through roles/privileges/permissions. So all these actions requires a user context to determine these permissions. BPM APIs accept this user context in form of WorkflowContext. WorkflowContext is a session object maintained by SOA server tied to an user.

How to create workflowcontext for a specific user?

Task Query service has authenticate method that accepts user credentials and returns a WorkflowContext as shown below.

In some of the cases, password may not be available to get the user context but the task actions should be performed by this user. In those cases, we can create admin workflow context and use authenticateOnBehalfOf method of Task Query Service as shown below. Here the user weblogic is admin i.e. having BPMWorkflowAdmin role.

Search for BPMWorkflowAdmin role by choosing soa-infra as application stripe.

Click Edit to assign this role to an user and click Add. Note that weblogic user will have admin role by default so the screenshots presented here are only demo purpose.

Search for the user weblogic and click ok.

You will observe the following error when try to use authenticateOnBehalfOf method using the workflowcontext created using non-admin user.

ORABPEL-30509

exception.code:30509exception.type: ERRORexception.severity: 2exception.name: Insufficient privileges to authenticate on behalf of another user.exception.description: User siva cannot authenticate on behalf of user svgonugu without admin privileges.exception.fix: Only users with admin privileges can authenticate on behalf of another user.

Do we have any timeout settings for WorkflowContext?

As mentioned earlier, Workflowcontext is a session object maintained by SOA/BPM server in heap memory. So creating more and more workflowcontexts might cause out of memory errors on the server. So whenever we are done with workflowcontext we should always destroy the context. Also BPM runtime has a default timeout of 60 min after which the workflowcontext object is destroyed. This timeout setting can be modified by navigating to Weblogic Domain -> <<domain name>> -> System MBean Browser -> Application Defined MBeans -> oracle.as.soainfra.config -> Workflow Config -> WorkflowServiceSesionTimeoutInMinutes as shown below.

If we use workflowcontext after timeout, we will get WorkflowException.

In previous posts (post1 & post2), we have seen how to use SOAP and Remote clients to work with BPM Java APIs. One immediate problem we can see is using server urls in the code which makes deployment across environments difficult. In this post, we will see how to take care of this.

WorkflowServiceClientFactory class has different overloaded methods to get the client. When we don’t pass any properties like below, BPM run time will look for a file wf_client_config.xml in classpath of ear file.

We can create wf_client_config.xml with the following contents having the server details and information pertaining to both SOAP and REMOTE clients. The file can be placed in a folder like conf under our project folder.